[Q] What do I look when I searching for a hacker on script logs?

[n4ndoz 20]

Hey, guys.

I know this sounds like a dumb or noob question, but I think at all it isn't.

It all started yesterday, when a hacker popped on our server fucking everybody in-game.

We stopped the server for good, but the poor guys who was logged at the time lost all their stuff for that (gay) Deathmatch stuff.

I already know basically how does the script structure works on Arma2, but what I don't know is about the legal scripts, about what is supposed to contain on a script.log, etc.

I didn't slept last night and won't until I figure out some stuffs. So, I decided to write a little java program to scann the logs for strange scripts.

But, after reading the stuff for more than 5 hours, I could not find nothing strange or out of normal. Just because I don't know what is the "normal". LOL

So, I ask you, guys:

1- Is there another proceedure my noob brain let past?

2- Is there any kind of database of what can be executed or not?

3- I'm analyzing the scripts.log + server_console atm, is there another file I need to take a look??

4- From what I know, DayZ is run modularized, with a huge script executing little modules. I was studying what ppl do atm and saw that they bypass battleye with a... eeerh.. bypass. So, does this bypass alter script names, or just erase them from my logs(what I think is impossible), or they kind of inject the hacked scripts on legal scripts so it is impossible for me to detect them?

I just need this info so I can make the stay on my servers safe for everyone.

A group was playing in there and lost all their stuff but they keep playing on my server and are nice guys, so, this way I wan't it to be safe for them and for everyone else to call my server home.

Thanks in advance for all of you who take a moment to read and answer to my questions. =)

(Grizzlore and group, thanks for you cooperation yesterday)

[ninjaholic 116]

fucking everybody in-game.

He didn't shoot anyone? He just had sex with them?

[pepperkorn@gmail.com 94]

scripts.log is so broken right now it's not even worth using IMO. The current default scripts.txt that they give you to tell what to log and what not to log is worthless.. and now there's a BE bypass (which just makes it so you can join a server and never get 'scanned' by the servers battleye.

Anyone running this bypass will never get scanned or logged at all. So even if they do run a detected script you'll never know about it.

I welcome you to check out my progress here: http://dayzmod.com/forum/index.php?/topic/39628-dayz-server-suite-name-pending-alpha002-on-pg-3/#entry377033

[verius (DayZ) 4]

I am not sure how BE bypass works but wouldn't it be possible to look at the server logs and see that battleye server did not check them and instantly ban that user.

When you look at the logs you see the user connect

Then you see the ID for that users Arma2 account

Then you see battleye server stuff.

I would assume someone that is way better at coding then me would be able to figure out a way to parse the logs and see user A logged in with ID of xxxxxxxxxx. After that no Battleye server responses for that user happens so that user gets kicked / banned from server. It would put a load on the server because it has to scan the log but it would prevent BE bypass users from being able to stay connected. Again this all an assumption and you know what they say about that.

[pepperkorn@gmail.com 94]

I am not sure how BE bypass works but wouldn't it be possible to look at the server logs and see that battleye server did not check them and instantly ban that user.

When you look at the logs you see the user connect

Then you see the ID for that users Arma2 account

Then you see battleye server stuff.

I would assume someone that is way better at coding then me would be able to figure out a way to parse the logs and see user A logged in with ID of xxxxxxxxxx. After that no Battleye server responses for that user happens so that user gets kicked / banned from server. It would put a load on the server because it has to scan the log but it would prevent BE bypass users from being able to stay connected. Again this all an assumption and you know what they say about that.

unfortunately there are 2 seperate logs. There's the RPT log file which logs players when they join/update to hive/ and disconnect, this has nothing to do with battleye.

So if they are running a bypass they will show up in the RPT the exact same as everyone else.

[verius (DayZ) 4]

Well you have the .RPT log but you also have the server_console.log which is the one i was talking about.

If they are running the bypass do they not show up in the server_console.log file?

[n4ndoz 20]

I am not sure how BE bypass works but wouldn't it be possible to look at the server logs and see that battleye server did not check them and instantly ban that user.

When you look at the logs you see the user connect

Then you see the ID for that users Arma2 account

Then you see battleye server stuff.

I would assume someone that is way better at coding then me would be able to figure out a way to parse the logs and see user A logged in with ID of xxxxxxxxxx. After that no Battleye server responses for that user happens so that user gets kicked / banned from server. It would put a load on the server because it has to scan the log but it would prevent BE bypass users from being able to stay connected. Again this all an assumption and you know what they say about that.

unfortunately there are 2 seperate logs. There's the RPT log file which logs players when they join/update to hive/ and disconnect, this has nothing to do with battleye.

So if they are running a bypass they will show up in the RPT the exact same as everyone else.

Well you have the .RPT log but you also have the server_console.log which is the one i was talking about.

If they are running the bypass do they not show up in the server_console.log file?

I was just thinking about it.

Well, guys, I will put my coding fingers to work, and if all go ok I will try to output something good until next week.

If any of you can do it faster, please, do it.

One last question.

Is this info confirmed?

When a bypassed player logs in it shows up at brt but not on the other files? The BE related ones?

[Kyodan 0]

I would like to know this as well, as I've been noticing people reporting an increase in hacks, and I haven't had time to properly admin my server. I, too, am confused as to what to look for.